VDB

GCVE-110-OSM-2026-1827

GCVE-110-OSM-2026-1827
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 11, 2026
Multi-chain stealer with persistent SSH backdoor. Executes at postinstall via node test.js. Payload is a doubly-escaped Function('qUEpOZp', codeString) wrapper with 48 base91 alphabets — static tools (webcrack, synchrony) cannot decode it. Attack chains: (1) SSH persistence: fetches attacker public key from cloudflareinsights.vercel.app/api/ssh-key, writes to ~/.ssh/authorized_keys, executes sudo ufw enable and sudo ufw allow 22/tcp — backdoor survives package removal; (2) Filesystem exfiltration: crawls for .env, id.json, config.toml (crypto wallet files) and POSTs them to C2 as octet-stream; (3) System fingerprint beacon to /api/v1; (4) Dynamic C2 tasking via /api/scan-patterns and /api/block-patterns. Cross-platform: Linux, macOS, Windows (wmic logicaldisk get name for drive enumeration). C2 infrastructure impersonates Cloudflare analytics and security branding on Vercel PaaS. test.js (27KB, postinstall entry): Function('kqtIJj5', codeString)(env) wrapper containing 8 decoder functions with distinct base91 alphabets. index.js (189KB, required by test.js): Function('qUEpOZp', codeString)(env) wrapper containing 48 decoder functions, 460-element encoded string array (rotation offset 0x1b=27), and switch/case state machine implementing all four attack chains. C2 URLs split into 8-char string chunks to evade regex. SSH key delivered dynamically from /api/ssh-key (not hardcoded), allowing operator key rotation without re-publishing.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlint-nule1.0.4 (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›